Page MenuHomePhabricator
Create Task
Maniphest T13624

Provide an error log for `sshd` subprocesses
Open, NormalPublic
Actions

Description

See PHI2009. The sshd subprocesses (bin/ssh-auth and bin/ssh-exec) currently don't have a configurable error log. These processes are somewhat unique: most other processes log to the webserver error log or the daemon log.

See also T12611.

See also T4472, perhaps.

It would be nice to better unify all log behavior, but just adding log.ssh-error.path for now is probably the more practical approach.

Revisions and Commits

Restricted Differential RevisionRestricted Diffusion Commit
Restricted Differential RevisionRestricted Diffusion Commit
Restricted Differential RevisionRestricted Diffusion Commit
rARC Arcanist
Audit RequiredrARC4399ee6b7f00 Temporarily disable all logfile writability checks
D21578rARCb177e489b4c8 (stable) Promote 2021 Week 9
D21578rARC6d60422dbb7d Add a simple primitive for managing PHP runtime error logs
rP Phabricator
D21579rP10162ad43bc4 Support an SSH error log

Related Objects

Event Timeline

epriestley triaged this task as Normal priority.Feb 26 2021, 7:38 PM
epriestley created this task.
epriestley added a revision: D21578: Add a simple primitive for managing PHP runtime error logs.Feb 26 2021, 10:42 PM
epriestley added a revision: D21579: Support an SSH error log.Feb 26 2021, 10:46 PM
epriestley added a revision: Restricted Differential Revision.
epriestley added a revision: Restricted Differential Revision.Feb 26 2021, 10:49 PM
epriestley added a commit: rARC6d60422dbb7d: Add a simple primitive for managing PHP runtime error logs.Feb 26 2021, 10:54 PM
epriestley added a commit: rP10162ad43bc4: Support an SSH error log.
epriestley added a commit: Restricted Diffusion Commit.
epriestley added a commit: Restricted Diffusion Commit.
epriestley mentioned this in T12611: Write Phabricator HTTP and SSH logs in the production cluster.Feb 26 2021, 10:57 PM
epriestley mentioned this in 2021 Week 9 (Very Late February).Feb 26 2021, 11:09 PM
epriestley added a commit: rARCb177e489b4c8: (stable) Promote 2021 Week 9.Feb 26 2021, 11:10 PM
epriestley added a commit: Restricted Diffusion Commit.
epriestley closed this task as Resolved.Mar 1 2021, 6:12 PM

This deployed, and appears resolved.

epriestley reopened this task as Open.Mar 2 2021, 5:20 PM

This ran into some filesystem permissions issues and needs followup.

epriestley added a commit: rARC4399ee6b7f00: Temporarily disable all logfile writability checks.Mar 2 2021, 5:20 PM
epriestley added a comment.EditedMar 2 2021, 5:40 PM

In general, Phacility production hosts may interact with logs as several different users:

  • The default ubuntu user creates the log/ volume mount by checking out core/, creates log directories, and performs log maintenance (rotation and destruction).
  • The ubuntu user writes to phd logs.
  • The dweller user writes to sshd logs.
  • The www-data user writes to httpd logs.
  • Logs are organized by instance, so we can't (easily) guarantee all log directories exist before they are written. For example, if instance turtle signs up, we'd like to create turtle/ directories on disk at the time the logs are written. The on-disk layout is /logs/<instance>/<service>/<thing>.log, which is the preferred layout for human operators.
  • And: some hosts may have older logs or log directories in arbitrary states.

This is a big mess. It can be mostly navigated by:

  • Adding ubuntu, dweller, and www-data to a unix loggers group.
  • Making sure logs are always owned by group loggers and chmod 0664.
  • Making sure log directories are always owned by group loggers and chmod 0775.

I wrote a patch for this, but it's big, adds a lot of configuration, and generally feels like it's walking down a dark path. In particular, in the long term, it would be nice to send logs directly to an aggregation service (and ingest logs on disk). A lot of per-log filesystem configuration moves us further from this.

I'm imagining this instead:

  • A new Log daemon listens on a unix domain socket.
  • All first-party services that want to log write to it over the domain socket.
  • It can also ingest logs on disk.
  • It can buffer logs in memory.
  • It can report log status via the database.

From there, it can send logs to disk or some other service, including an instance of itself running on some other host.

In the short term, this produces a single writer and fixes all the filesystem junk, and provides a reasonable way to monitor log status. In the long term, this supports real logging behavior.

epriestley added a comment.Mar 4 2021, 12:08 AM

Evidence increasingly suggests that the root problem here was GET_LOCK() issue in T13627, not an error in an sshd subprocess context.

Phabricator · Built by Phacility